OIDC federation

Imagine that you are creating an application that accesses Amazon resources, such as GitHub Actions that uses workflows to access Amazon S3 and DynamoDB.

When you use these workflows, you make requests to Amazon services that must be signed with an Amazon access key. However, we strongly recommend that you do not store Amazon credentials long-term in applications outside Amazon. Instead, configure your applications to request temporary Amazon security credentials dynamically when needed using OIDC federation. The supplied temporary credentials map to an Amazon role that only has permissions needed to perform the tasks required by the application.

With OIDC federation, you don't need to create custom sign-in code or manage your own user identities. Instead, you can use OIDC in applications, such as GitHub Actions or any other OpenID Connect (OIDC)-compatible IdP, to authenticate with Amazon. They receive an authentication token, known as a JSON Web Token (JWT), and then exchange that token for temporary security credentials in Amazon that map to an IAM role with permissions to use specific resources in your Amazon Web Services account. Using an IdP helps you keep your Amazon Web Services account secure because you don't have to embed and distribute long-term security credentials with your application.

OIDC federation supports both machine-to-machine authentication (such as CI/CD pipelines, automated scripts, and serverless applications) and human user authentication. For human user authentication scenarios where you need to manage user sign-up, sign-in, and user profiles, consider using Amazon Cognito as an identity broker. For details about using Amazon Cognito with OIDC, see Amazon Cognito for mobile apps.

Additional resources for OIDC federation

The following resources can help you learn more about OIDC federation: